Graphing Suspicious URL Relationships

10,000 websites have been compromised to redirect users to a new exploit kit called Nice Pack. Discovered on Wednesday, it attempts to exploit flaws in users’ third-party applications, such as Java and Adobe products, in order to install the ZeroAccess Trojan. Malicious URLs are not always tied to a single domain: attackers usually place redirects on many different domains so that the real source of the malware stays hidden from the legitimate user. For example, you can go through a victim’s browser history to find the domain that infected the computer and still not find the malicious website anywhere in the previous navigation, because the techniques used by malware writers include redirection through malicious JavaScript, embedded iframes, or other tricks that never show up as a visited page.

Instead, you can reconstruct all of the previous activity from the HTTP requests with a simple sniffer and find out what the computer really downloaded while browsing a given website. For this you can use one of the previously mentioned utilities such as Wireshark, tshark or tcpdump.

Next, for a fast and clear result, you can also use jsunpack-n to graph URL relationships in packet captures and determine the steps that led to a compromise. jsunpack-n emulates browser functionality when visiting a URL; its purpose is to detect exploits that target browser and browser plug-in vulnerabilities. It accepts many different types of input:

PDF files – samples/sample-pdf.file

Packet Captures – samples/sample-http-exploit.pcap

HTML files

JavaScript files

SWF files

This project contains the source code that runs at the website http://jsunpack.jeek.org/. Users can upload files, or enter script contents and URLs to decode. If you install jsunpack-n on your own system, you can run it with the following command to fetch and decode a URL:

$ ./jsunpackn.py -u URL

Optionally, you can add the -a option, which also fetches the further URLs or paths discovered while decoding. If you wish to decode a local file instead, simply run:

$ ./jsunpackn.py samples/sample-pdf.file

The result is a graph of the real relationships between the URLs, including the redirection chain that led to the compromise.
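To make the idea concrete, here is an added example (written for this page; it is neither code from the original post nor part of jsunpack-n) that reconstructs a redirection chain from a constructed list of HTTP transactions, the kind of data you would export from a pcap with tshark or Wireshark before feeding it to a graphing tool. Every hostname, path and response body below is made up, and the tuple layout of the transaction list is an assumption of this example, not a tshark format.

```python
import heapq
import re
from urllib.parse import urljoin

# Constructed sample of HTTP transactions, in the shape you would export from a
# pcap with tshark/Wireshark: (request URL, Referer header, status code,
# Location header, Content-Type, response body). Every host here is fictional.
SAMPLE_TRANSACTIONS = [
    ("http://news.example.com/index.html", None, 200, None, "text/html",
     '<html><body>Story<script src="http://cdn-stats.example.net/count.js"></script></body></html>'),
    ("http://news.example.com/style.css", "http://news.example.com/index.html", 200, None, "text/css", "body{}"),
    ("http://cdn-stats.example.net/count.js", "http://news.example.com/index.html", 200, None,
     "application/javascript",
     "document.write('<iframe src=\"http://ad-track.example.org/go.php?id=7\" width=1 height=1></iframe>');"),
    # Hidden iframe hits a redirector; the browser history only ever shows news.example.com.
    ("http://ad-track.example.org/go.php?id=7", "http://news.example.com/index.html", 302,
     "http://landing.example.biz/main.php?page=a1b2", None, ""),
    ("http://landing.example.biz/main.php?page=a1b2", "http://news.example.com/index.html", 200, None, "text/html",
     '<html><applet code="x.class" archive="http://landing.example.biz/x.jar"></applet></html>'),
    ("http://landing.example.biz/x.jar", "http://landing.example.biz/main.php?page=a1b2", 200, None,
     "application/java-archive", "PK\x03\x04"),
    # Binary fetched by the applet: no HTML references it, only the Referer ties it to the landing page.
    ("http://landing.example.biz/load.php?e=java", "http://landing.example.biz/main.php?page=a1b2", 200, None,
     "application/octet-stream", "MZ\x90\x00"),
]

# src/href/archive attributes in HTML, or in JavaScript that writes HTML.
REF_ATTR = re.compile(r'(?:src|href|archive)\s*=\s*["\']?([^"\'\s>]+)', re.I)
# Redirects and embedded references are the real mechanics of the chain; a
# Referer only tells us which page the browser was rendering, so it is weaker evidence.
EDGE_COST = {"redirect": 1, "embed": 1, "referer": 10}
PAYLOAD_TYPES = {"application/octet-stream", "application/java-archive", "application/x-msdownload"}


def extract_references(base_url, body):
    """Absolute URLs named in src/href/archive attributes of a response body."""
    return {urljoin(base_url, m.group(1)) for m in REF_ATTR.finditer(body or "")}


def build_graph(transactions):
    """Directed graph url -> {next_url: kind}; kind is 'redirect' (3xx Location),
    'embed' (referenced in a body) or 'referer' (Referer header). A stronger
    kind replaces a weaker one for the same pair of URLs."""
    graph = {}

    def add(src, dst, kind):
        edges = graph.setdefault(src, {})
        if EDGE_COST[kind] <= EDGE_COST.get(edges.get(dst), 99):
            edges[dst] = kind
        graph.setdefault(dst, {})

    for url, referer, status, location, _ctype, body in transactions:
        graph.setdefault(url, {})
        if referer:
            add(referer, url, "referer")
        if 300 <= status < 400 and location:
            add(url, urljoin(url, location), "redirect")
        for ref in extract_references(url, body):
            add(url, ref, "embed")
    return graph


def find_chain(graph, start, target):
    """Cheapest path from start to target (Dijkstra over EDGE_COST), returned as
    [('start', start), (kind, url), ...]; [] if target is unreachable."""
    best, prev, heap = {start: 0}, {}, [(0, start)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best.get(node, float("inf")):
            continue  # stale heap entry
        if node == target:
            break
        for nxt, kind in graph.get(node, {}).items():
            new_cost = cost + EDGE_COST[kind]
            if new_cost < best.get(nxt, float("inf")):
                best[nxt], prev[nxt] = new_cost, (node, kind)
                heapq.heappush(heap, (new_cost, nxt))
    if target not in best:
        return []
    chain, node = [], target
    while node != start:
        parent, kind = prev[node]
        chain.append((kind, node))
        node = parent
    chain.append(("start", start))
    return chain[::-1]


def find_payloads(transactions):
    """URLs whose response looks like a dropped binary: PE 'MZ' header or a download content type."""
    return [url for url, _, status, _, ctype, body in transactions
            if status == 200 and ((body or "").startswith("MZ") or ctype in PAYLOAD_TYPES)]


def explain(transactions, entry_url):
    """Map each payload URL to the chain of steps that led to it from entry_url."""
    graph = build_graph(transactions)
    return {p: find_chain(graph, entry_url, p) for p in find_payloads(transactions)}


if __name__ == "__main__":
    for payload, chain in explain(SAMPLE_TRANSACTIONS, "http://news.example.com/index.html").items():
        print(payload)
        for kind, url in chain:
            print(f"  {kind:>8}  {url}")
```

The weighting is the point of the example: every request triggered by the hidden iframe chain carries the same Referer (the news page), so a graph built from Referer headers alone would show the exploit kit hanging directly off the legitimate site. Following the 302 Location and the URLs found in the response bodies first gives the chain news page, counter script, hidden iframe, redirector, landing page, JAR, and only falls back to the Referer for the final binary that no HTML references.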

Those are the exact commands, in the exact order, as they appear in the book. Big evidence being the “” after “rules”. That is not part of a real command; it was used in the book to indicate a line break. If you had even tried using the commands before pasting them, you would have realized that “” is not part of the command itself.

Regarding your statement “I already posted about your book several times on my blog”… that is perfectly fine. I appreciate you giving credit where credit is due. However, just because you’ve mentioned a source in the past, that doesn’t mean you’re exempt from mentioning it in the future (if you cite material from it). For example, if I write a blog post and say “here are my favorite books”, and then months later I write a paper, publish some other documents, or present at a conference on material from those books, I still have to cite the books each and every time.